Distroless Docker Images for Production

Most production images ship more than they need: shells, package managers, build tools, debug utilities. Distroless images keep only the runtime and required libraries. Less stuff = smaller size, fewer vulnerabilities, faster pulls, and a reduced attack surface.

Why It Matters (Quick)

• Smaller image → quicker deployments and scale events
• Fewer packages → fewer CVEs to track
• No shell/tools → harder to misuse after compromise
• Clearer, reproducible builds with multi-stage Dockerfiles

Core Factors Before Promoting

1. Pin the base image tag or digest (avoid latest)
2. Lock dependencies (requirements.txt)
3. Ship only runtime content (no compilers, caches, temp files)
4. Scan for vulnerabilities (Trivy/Grype)
5. Check size & record a baseline
6. Ensure no secrets in layers (docker history)
7. Basic observability (logs + health endpoint)
8. (Optional) Generate SBOM / sign image when pipeline matures

Python Distroless Example

Install dependencies into a folder, copy only what’s needed.

# Build stage
FROM python:3.11-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt --target /packages
COPY src/ .

# Runtime stage (distroless)
FROM gcr.io/distroless/python3-debian11
WORKDIR /app
COPY --from=builder /packages /packages
COPY --from=builder /app /app
ENV PYTHONPATH=/packages
ENTRYPOINT ["python", "/app/main.py"]

Minimal Checklist

• [ ] Base image pinned
• [ ] Dependencies locked
• [ ] No critical CVEs after scan
• [ ] Size acceptable
• [ ] Runs without shell (smoke test)
• [ ] No secrets in layers
• [ ] (Optional) SBOM / signature

When to Delay Distroless

Early prototyping or heavy interactive debugging. Adopt it once the service stabilizes.

References

• Distroless: https://github.com/GoogleContainerTools/distroless
• Trivy: https://github.com/aquasecurity/trivy
• Syft: https://github.com/anchore/syft

If useful, share it. Reach out via the contact section for a non‑root variant.